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| MEMORANDUM FOR: \.Assistant-for-—tecermatées, ODA 


! FROM pi ae oe se ISS 
ee : Agency Security Classification Officer, ISAS 


SUBJECT : Executive Order 12065: Access by the Information 
Security Oversight Office to CIA Information 


1. You have requested comments regarding the authority of the 
Information Security Oversight Office (ISO00) to gain access to CIA 
information and the responsibility of the Agency to furnish or deny 
such access. You also have requested views regarding an actual 
request for such access in an ISOO letter dated 12 April 1979. 

The following is essentially a summary of responsibilities relatina 
to access, and a recommended approach to working with ISOO in a 
spirit of cooperation consistent with these responsibilities. 


2. The information to which ISOQ should have access is that 
information which is "necessary to fulfill" IS00 responsibilities 
pursuant to the Order (Sections 5-502(h) and 5-405). Therefore, 
determining ISQO's access authority requires that we first determine 
the extent of IS00's responsibilities: 


a. Section 5-201 of the Order specifies in part that the 
Administrator of General Services shail delegate to IS00 his 
responsibility for "implementing and monitoring the program 

established pursuant to this Order". 


b. Section 5-202 specifies in part that the Director, 
1S00 shall: 


(1) oversee agency actions to ensure compliance with 
the Order and implementing directives; 


(2) consider and take action on complaints and 
suggestions with respect to the administration of the information 
security program; 
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(3) exercise the authority to require that information he 
determines is classified in violation of the Order be declassified, 
subject to agency appeal to the National Security Council (NSC); 


(4) develop implementing directives, in consultation 
with the agencies, and promulgate tham, subject to NSC approval; 


(5) review all agency implementing regulations and 
agency guidelines for systematic declassification review and require 
changes where not consistent with the Order or implementing directives, 
subject to agency appeal to NSC. 


c. Section 5-202(h) specifies that the Director, ISOO shall 
have the authority to conduct on-site reviews of the information 
security program of each agency and to require such reports, information, 
and other cooperation as necessary to fulfill his responsibilities. 

If such reports, inspection, or access to specific categories of 
classified information would pose an "exceptional national security 
risk," the agency head may deny access, subject to Director, IS00 
appeal to NSC. 


d. Section 4-204 specifies, in regard to the "system of 
accounting for special access programs" established and maintained 
by each agency head, that the Director, ISO0 shall have “non-delegable 
access to all such accountings." 


3. ISQ0 responsibilities thus are cast by the Order primarily 
in terms of overseeing agency program implementation and requiring 
information about such programs. Authority for ISO00 access to the 
actual information that is subject to program management is in genera] 
hedged in by provisions for appeal, as in any authority for directing 
action by the agencies. $ 
wo My Cede « 

4. In regard to the responsibilities of the Agency to furnish 
IS0O0 access to information, Section 5-405. specifies that agencies 
shall submit to ISO0 "such information or reports as the Director 


of the Office may find necessary to carry out the Office's responsibilities." 
- Again, the key is necessity to fulfill [S00 responsibilities. The Order 


provides specifically that agencies submit certain items to ISQO: 


a. any designations of “other categories" of information-- 
in addition to the six categories delineated in the Order--that may 
be considered for classification, as determined by an agency head 
(Sections 1-301(g) and 1-304); 
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b. any special procedures for systematic review and 
declassification of information concerning the identities of 
clandestine human agents (DCI only, Section 3-403); 


c. a copy of any information security regulation or 
systematic declassification review guideline (Section 5-401); 


d. notification of violations of the Order or implementing 
directives (Section 5-504). 


5. In addition, ISOO Directive No. 1 provides specifically that 
agencies submit certain items to ISQO: 


a. requests for any waivers from portion marking requirements 
(Section 1.6.9); 


b, declassification guidelines for foreign government 
information (Section III.C.1.b); 


c. requests for any waivers from the 10-year "Subsequent 
review" period after the first systematic declassification review 
(Section III.C.2.b.(2)). 


6. In regard to any authority of the Agency to deny ISO00 access 
to information, Section 4-101 of the Order provides in part that 
"No person may be given access to classified information unless...access 
is necessary for the performance of official duties." Section IV.B.1 
of IS00 Directive No. 1 provides in part that "Classified information 
shall be made available to a person only when the possessor of the 
classified information establishes in each instance...that access is 
essential to the accomplishment of official Government duties....” 


7. In view of the foregoing, the Agency properly may furnish 
1S00 access to information about our Executive Order 12065 implementation 
program, but we may provide access to the actual information that is 
subject to the program only upon an advance showing to our satisfaction 
that the information is necessary to the performance of IS00 
responsibilities. We also must determine in advance that IS00 
access does not conflict with the DCI's statutory responsibility 
to protect Agency information and intelligence seurces and methods 
information (National Security Act of 1947 and CIA Act of 1949). 


8. In regard to the specific access request, the 12 April 1979 


TSQO letter addressed to the DDA laid out ISO0's schedule for 
"inspections" of agency programs during the period April through 
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September 1979. (This letter presumably was sent to each agency's 
“senior official" designated "to conduct an active oversight program 
to ensure effective implementation of the Order" (Section 5-404(a))). 
The letter cited the Director, I1S00's authority (pursuant to Section 
5~202(h)) to conduct on-site reviews of the information security 
program in each agency, and it presented the schedule as "a program 
of detailed on-site inspections of agency programs." The letter 
stated in part that 1800 program analysts would, among other things, 
“devote maximum effort to inspecting actual documents contained in 
agency holdings to review the propriety of classification, proper 
marking, over-use of classification beyond 6 years...." The letter 
requested that the "full extent" of the DDA's authority "be applied 
to insure that the ISO00 analysts are given the necessary cooperation 
and access to classified information as required to accomplish their 
duties under this oversight program. " 


9. Based on the outline of responsibilities in paragraphs 2 
thru 7 above, [S00 inspection of Agency documents to review propriety 
of classification level, duration, and marking is a legitimate over- 
Sight function. However, such inspection must be accomplished in a 
manner consistent with our statutory responsibilities to protect 
information from disclosure. Although the Order provides that the 
DCI may formally deny access to information (subject to appeal), it 
would be preferable to reach agreement with IS00, in advance of any 
inspection, on ground rules that will properly balance ISO0 responsi- 
bilities and our security concerns. When we spoke to the Director, 
ISOO0 on 19 April 1979, he took a cooperative approach to the access 
question, stating he realized there were certain areas of Agency 
information to which ISO00 personnel should not have access for 
"inspection" purposes. Accordingly, the following three options 
for handling access by ISOO personnel are presented, followed by a 
brief discussion and recommendation. 


Option 1 - Staff-like Access: face Keke. 


a. Staff-like access W 


d require staff-type security 
clearances, including i 


-Jevel polygraph examination. 


b. The office sponsoring (or responsible for) the inspection 
team would request and justify such clearances. 


c. The Office of Security would do a file review on the 


clearances the individuals now hold to see if they are adequate 
under DCID 1/14 standards. 
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d. When OS conducts such a full investigation and grants 
staff-type clearances, the cleared individuals may be authorized to fe seul 
pecmbye a badge; but this would depend on other factors such as 
frequency of visits. 


Option 2 - Memorandum of Understanding 


a. A Memorandum of Understanding between the DCI and the 
Director, IS00, would specify ISOO areas of interest. 


b. The MOU also would specify agreed procedures covering: 
pre-screening information, providing access to information determined 
to be "relevant" to the specified ISO00 areas of interest, and with- 
holding or deleting information that is not "relevant" or that reveals 
intelligence sources and methods; review of inspector's notes for 
proper classification; requirements for handling and storage of any 
Agency classified information taken off premises; and other appropriate 
details. 


c. If the procedures specified in the MOU were followed, the 
1S00 personnel's normal GSA clearances, SCI clearances, and Agency 
liaison clearances would suffice. 


Option 3 - Agreed Procedures 


a. Draft procedures would be prepared, covering access to 
Agency information in the possession of other agencies as well as in 
our possession, and providing for pre-screening and for withholding 
or sanitizing where appropriate. 


b. The procedures would not specify IS00 areas of interest 
in detail, but rather provide for this to be determined in the context 
of each visit. Other matters would be covered as in Option 2. 


c. The procedures would be agreed to informally by the AI/DDA 
and D/1SO0, and coordinated within the Agency by the AI/DDA. 


d. The final agreed procedures would be sent to D/ISOO under 
a letter from the DDA and serve as the basis for any IS00 access. 


e. The normal GSA clearances, SCI clearances, and Agency 
liaison clearances would suffice. 
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10. It is recommended that we pursue Option 3. Staff-like 
access (Option 1) is not necessary in view of ISOO responsibilities 
and frequency of visits. A Memorandum of Understanding (Option 2) 
would be too formal and inflexible in view of our Executive Branch 
relationship with ISOO and the difficulty of specifying ISOO areas 
of interest in advance, in terms of specific subject matter. 

Tle Propereel ave 


11. Mtv BEV Gaia by, 1500 access procedures 43 attached. 
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Attachment 


CONCUR: 
Office of Security 


Office of General Counsel 
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Distribution: 
Original - AI/DDA (Return to RAB for ISO0 file) 
1 - AI/DDA 
OGC 
- OS 
IPS 
TSAS/CRG 
~- RAB (hold) 


ed ed et 
t 


Approved For Release 2005/08/15 : CIA-RDP87B01034R000200070014-2 


STAT 


